Silk Road forums

Discussion => Security => Topic started by: Sahara on April 16, 2012, 10:10 pm

Title: Virtual machines
Post by: Sahara on April 16, 2012, 10:10 pm
Evenin' all!

It has been suggested to me
that using a "virtual machine"
might be safer.

My question comes in two parts.

== First part ==

I have a computer that runs Windows 7.
Before you boo, hiss, or spit at me,
please be assured that I understand
the error of my ways.

I would like to be able to have a
Linux-Ubuntu OS installed on my
computer that runs independently
of my computer and its hard drive.

How could I have a virtual
Linux-Ubuntu machine
on my current computer
without having to delete Windows?

== Second part ==

If I were to implement such a device,
then just how traceable would it be?

Let's assume that someone who wanted
to know my business confiscated my
computer one day. What access would
they have to my virtual machine?

It seems that having a computer running
Windows and Linux in parallel is as safe
as having two separate computers in the
same room. (Not safe at all!)

How do I get a truly anonymous
virtual machine running on my laptop
without having to wipe Windows?!
Title: Re: Virtual machines
Post by: a_blackbird on April 17, 2012, 05:34 am
Easiest thing to do is probably to put your Linux installation on a bootable, encrypted USB drive.  Don't even let any of your SR dealings ever touch your laptop hard drive.  Then, if someone gets ahold of your machine, you're fine.  If someone gets ahold of your USB drive, well, really, that's probably OK, too, since it's protected by full-disk encryption.
Title: Re: Virtual machines
Post by: Sahara on April 18, 2012, 02:37 pm
Thanks for the reply. How might I go about getting an encrypted, bootable USB that contains Linux?
Title: Re: Virtual machines
Post by: Delta11 on April 18, 2012, 02:44 pm
Look into TrueCrypt and Liberte or any Linux flavor of your choice. I would also wipe your current Windows 7 hard drive several times using DBAN and start over since you most likely accessed Tor on it and have left traces of it. You can also use TrueCrypt to encrypt your Windows 7 setup to deter anyone from even looking for your real Tor OS (the USB drive).
Title: Re: Virtual machines
Post by: Sahara on April 18, 2012, 05:45 pm
I've looked up Liberté, but all I can find is information about the system itself. Not how to come into possession of an encrypted USB with it installed. Would I need to buy the USB and then download Liberté onto it, or can you just send off for pre-loaded USBs?

Also, do programs like dban really work? There was a case in the local newspaper about some paedo who'd "...used software in an attempt to wipe his computer...", but the police's techies still managed to find the stuff.
Title: Re: Virtual machines
Post by: Delta11 on April 18, 2012, 05:49 pm
As far as I'm concerned there are no services that offer pre-loaded USBs encrypted with Liberte, but it's so easy you can do it on your own. DBAN definitely does work; the trick to DBAN is that the more times you wipe a drive the less likely they will be able to recover data. If you're really paranoid you can wipe your drive 7 times. Sure, it might take some time, but it'll completely erase everything off your drive; it'll be impossible for them to recover your data after that many wipes.
Title: Re: Virtual machines
Post by: The Godfather on April 18, 2012, 06:19 pm
Hi there,

You could try using Oracle VM VirtualBox. I have used this program to run my Linux OS on my Windows 7 PC. I would think that installing the program on a USB drive and installing your Linux on the USB drive would be your best bet. VirtualBox is also very easy to use and is very reliable. Encrypting the USB or password protecting it wouldn't hurt either!

Cheers,
The Godfather
Title: Re: Virtual machines
Post by: Nakorx on April 18, 2012, 10:07 pm
Hi People!
I am no expert, but I came across what I think is about the ultimate in anonymous browsing and security. It is a detailed step-by-step guide to installing a virtual machine in a secret partition made with TrueCrypt, using Oracle VirtualBox for Windows. The link is: http://4eiruntyxxbgfv7o.onion/paste/show.php?id=d1d879e959bcc020
The author even gives instructions on how to download and install everything!!
Title: Re: Virtual machines
Post by: Sahara on April 18, 2012, 10:17 pm
What a legend... Thank you so much!
Title: Re: Virtual machines
Post by: Nakorx on April 18, 2012, 10:27 pm
Sorry about my post above; that link should have been all on one line, thus:
http://4eiruntyxxbgfv7o.onion/paste/show.php?id=d1d879e959bcc020

Title: Re: Virtual machines
Post by: Sahara on April 19, 2012, 11:18 pm
It was always on one line on my screen. You must have a higher zoom factor than me ;o)
Title: Re: Virtual machines
Post by: vlad1m1r on April 19, 2012, 11:50 pm
An excellent suggestion, Godfather, and in fact it is entirely possible to run Liberte Linux using VirtualBox and a virtual hard disk image you can download from the Liberte site. It's important to bear in mind that someone with physical access to your machine can analyse the virtual file used in place of an actual hard disk for your virtual machine just as easily as a physical disk.

As such I would suggest either using your virtual machine to install an encrypted OS like Liberte or putting the virtual hard disk file inside a TrueCrypt container and pointing VirtualBox towards that. If anyone needs help setting this up, please feel free to send me a message.

V.
Title: Re: Virtual machines
Post by: mdmamail on April 20, 2012, 01:45 am
VMs are great for a vendor who has to print labels. I don't use Windows exploitable O/S, but my printers require it. Pirate any old Windows edition and load it in a VM, afterwards encrypt the .VDI snapshot. No history anywhere of previously printed addresses.
Title: Re: Virtual machines
Post by: n1ll0 on August 22, 2012, 04:08 pm
If the OP is still looking for info, they might enjoy perusing http://pz65gyca5nrafhrf.onion/PolyFront_2/polyfront.html . It is a bit of a tutorial and informational site put together by the admin of the OVDB community (RIP). He/she is a security guru so there is a bunch of awesome info there.. albeit a little densely packed.

edit: I should clarify: this is not information specifically about virtual machines but rather anonymity and computer security generally.
Title: Re: Virtual machines
Post by: kmfkewm on August 22, 2012, 04:46 pm
I am not dead. I also no longer suggest that you use virtual machines in this way. Yes, it is a huge benefit to have Firefox isolated away from Tor and external IP addresses. However, virtual machines are much easier to pwn than operating systems running on real hardware. If your virtual machine is easy to pwn, the attacker will just hack it and spy on your address as plaintext to deanonymize you, rather than breaking out of the VM after pwning Firefox and getting your IP address to deanonymize you. And most people who are using virtual machines are not even using them in a way that offers any real security advantage; they are just running Tor and everything else in one VM.

Xen seems better in some ways than VirtualBox; it is used by Qubes after all and I do not think the person who made Qubes has no idea what they are doing, although Theo of OpenBSD fame and some other security researchers have said less than favorable things about the technique of isolating with virtual machines. However, even if the isolation by Xen approach is not inherently flawed, Xen lacks ASLR, so even if it is less additionally vulnerable to being hacked than VirtualBox, you are still not going to be able to take advantage of all of the security of using real hardware.

So in general, I believe in the majority of cases virtual machines should simply be entirely avoided. The only exception I would maybe make to this is using jails from FreeBSD.

Right now I am split between two techniques for isolating Firefox and other non-Tor network-facing applications away from Tor and each other. The first would be to run Tor on one dedicated machine and Firefox on another, then use a physical wire to connect them and route the Firefox machine's traffic through the Tor machine and Tor. This will give the exact same benefits as using virtual machines to accomplish this, without any of the disadvantages of virtual machines. The second technique is using SELinux sandbox for X level isolation and then writing a SELinux profile to prevent Firefox from gaining access to external IP address in any way or doing geopositioning. Certainly using the two machines approach is a more all-encompassing and foolproof solution though. Additionally, these techniques can be combined for a very high degree of isolation.

Failing that you may still choose to use virtual machine based isolation, and it will certainly give you benefits; just be aware that it comes at a high cost and in some use cases the cost could actually nullify the benefits. I think for servers it is more suited than for people using Firefox, but it still has the same disadvantages.
Title: Re: Virtual machines
Post by: kmfkewm on August 22, 2012, 05:11 pm
Yes, if you have an air gap between your private keys / passphrases / plaintexts and the internet, I would still suggest using a virtual machine as a viable option. You essentially increase the risk that an attacker will be able to take total control of the VM while decreasing the risk that an attacker will be able to gain access to the host environment, versus having no additional isolation between applications and the host. It is pretty apparent that using VirtualBox isolation is adequate to protect somewhat from the feds, considering it saved the ass of Freedom Hosting... but using physical hardware isolation or a proper mandatory access control profile is probably closer to the 'correct' way of accomplishing this regardless.
Title: Re: Virtual machines
Post by: asd159dasf1a6sd57a on August 23, 2012, 08:46 pm
Hmm... maybe I'm doing it wrong then.
I run Mac.
I created an encrypted image file that I put all the following data in.

My wallet file (backed up elsewhere)
My Tor browser (I have another one in my apps folder for 'normal' browsing)
My PGP Keys
A program I wrote to track my orders
Text files with all my login information.

This is 256 AES encrypted.

I just store this file on my computer and open it when needed.
My laptop is encrypted itself and password protected. So if the fuzz gets my laptop they would need to get/crack the password to the computer, THEN get/crack the password to the encrypted image.

I've thought about it and I think this is pretty safe. After I close the encrypted image there is no evidence of my SR activities.
Title: Re: Virtual machines
Post by: glgreen on August 25, 2012, 04:08 pm
What are you using to encrypt the laptop drive? FileVault2 or something else?
Title: Re: Virtual machines
Post by: insideoutside on August 25, 2012, 07:58 pm
I have a spare laptop that will be used ONLY for the purpose of browsing privately online. Everything has been completely wiped & a stripped-down version of Win7 Home reinstalled and only a few select programs downloaded discreetly.

How does the approach Nakorx linked to compare to using Liberte on a USB? Instead of just using a USB stick, the laptop becomes the USB stick with a monitor & internet access - completely mobile. (And disposable if necessary.)

I have Liberte downloaded, but I'm also 3/4 of the way through the install in the link that Nakorx posted. It does seem like a very secure setup (goes beyond just surfing the web anonymously), just not sure how it compares to Liberte?

It requires downloading Ubuntu (which I'm familiar with), but I was going to install Liberte in place of Ubuntu, and it seems I've hit a snag as the version of Liberte is strictly for the USB & doesn't have the live CD? (I downloaded Liberte using the link in the main Sticky in the Security forum of how to browse SR anonymously)

Is there a LiveCD version of Liberte I can run in place of Ubuntu on a VM for the highest level of security & encryption?

Can it even work like that?
Title: Re: Virtual machines
Post by: insideoutside on August 29, 2012, 07:34 am
Anyone?
Title: Re: Virtual machines
Post by: pine on August 29, 2012, 11:01 am
FYI I have a new Tutorial on using virtual machines for protecting against LE malware.

http://dkn255hz262ypmii.onion/index.php?topic=39320.0
Title: Re: Virtual machines
Post by: insideoutside on August 31, 2012, 08:07 am
I will check that out. I was hoping someone could comment on the privacy aspect of the link that Nakorx posted vs using Liberte?
Title: Re: Virtual machines
Post by: pine on August 31, 2012, 02:50 pm
It's not a bad idea (putting a VM into an encrypted Truecrypt partition).

Why not get a high speed USB (2.0, which is pretty standard and good enough, but if you have the budget go for 3.0 if you can and it's available and your machine's motherboard takes it etc)?

This way all the evidence of your work is on a VM inside an encrypted partition on a piece of portable media. Plug it out, evidence gone. If it is discovered you can put in a false partition; after all, you don't need much space to work with at all. That gives you plausible deniability.

Also, look into using a MicroSD. I like these because they're super easy to hide; they're about the size of your fingernail but they can contain 32 Gb or so in memory whilst being fairly cheap.

This (USB or MicroSD) beats the crap out of having to get rid of an entire laptop if a posse of LE came through the front door.

As for your other question, I haven't done it with Liberte myself, but I see no reason why you shouldn't be able to use Liberte as a virtual machine. I don't understand where there is a problem, I suspect you are trying it with the wrong version or something. There's a burnable ISO image version of Liberte on the website for you to download, that should work.